Magazine article Reason

The Cybersecurity-Industrial Complex: The Feds Erect a Bureaucracy to Combat a Questionable Threat

Magazine article Reason

The Cybersecurity-Industrial Complex: The Feds Erect a Bureaucracy to Combat a Questionable Threat

Article excerpt


IN THE LAST TWO YEARS, approximately 50 cybersecurity-related bills have been introduced in Congress. In May the White House released its own cybersecurity legislative proposal. The Federal Communications Commission and the Commerce Department have each proposed cybersecurity regulations of their own. Last year, Senate Armed Services Committee Chairman Carl Levin (D-Mich.) even declared that cyberattacks might approach "weapons of mass destruction in their effects." A rough Beltway consensus has emerged that the United States is facing a grave and immediate threat that can only be addressed by more public spending and tighter controls on private network security practices.

But there is little clear, publicly verified evidence that cyber attacks are a serious threat. What we are witnessing may be a different sort of danger: the rise of a cybersecurity-industrial complex, much like the military-industrial complex of the Cold War, that not only produces expensive weapons to combat the alleged menace but whips up demand for its services by wildly exaggerating our vulnerability.

The Regulatory Urge

The proposals on the table run the gamut from simple requests for more research funding to serious interventions in the business practices of online infrastructure providers. The advocates of these plans rarely consider their costs or consequences.

At one end of the spectrum, there have been calls to scrap the Internet as we know it. In a 2010 Washington Post op-ed, Mike McConnell, former National Security Agency chief and current Booz Allen Hamilton vice president, suggested that "we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment--who did it, from where, why and what was the result--more manageable." Former presidential cybersecurity adviser Richard Clarke has recommended the same. "Instead of spending money on security solutions," he said at a London security conference last year, "maybe we need to seriously think of redesigning network architecture, giving money for research into the next protocols, maybe even think about another, more secure Internet."

A re-engineered, more secure Internet is likely to be a very different Internet than the open, innovative network we know today. A government that controls information flows is a government that will attack anonymity and constrict free speech. After all, the ability to attribute malicious behavior to individuals would require users to identify themselves (or be identifiable to authorities) when logging on. And a capability to track and attribute malicious activities could just as easily be employed to track and control any other type of activity.

Many current and former officials, from Clarke to FBI Director Robert Mueller, have proposed requiring private networks to engage in deep packet inspection of Internet traffic, the online equivalent of screening passengers' luggage, to filter out malicious data and flag suspicious activity. The federal government already engages in deep packet inspection on its own networks through the Department of Homeland Security's "Einstein" program. Mandating the same type of monitoring by the Internet's private backbone operators--essentially giving them not just a license but a directive to eavesdrop--would jeopardize user privacy.

There have also been proposals at the FCC and in Congress for the certification or licensing of network security professionals, as well as calls for mandating security standards. While certification may seem harmless, occupational licensing mandates should never be taken lightly; they routinely restrict entry, reduce competition, and hamper innovation. Politicians have also called for substantial new government subsidies, including the creation of regional cybersecurity centers across the country to help medium-sized businesses protect their networks.

Many of the bills would mandate a new cybersecurity bureaucracy within either the Department of Homeland Security or the Defense Department. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.